From bc083eb5577562403e5d8f9c15741943ad31b2c2 Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Feb 27 2015 17:22:34 +0000 Subject: Adjust seccomp fiter for primary architectures and solve aarch64 issue (#1197051) --- diff --git a/openssh-6.7p1-seccomp-aarch64.patch b/openssh-6.7p1-seccomp-aarch64.patch index e11905e..5aeea78 100644 --- a/openssh-6.7p1-seccomp-aarch64.patch +++ b/openssh-6.7p1-seccomp-aarch64.patch @@ -1,6 +1,8 @@ +diff --git a/configure.ac b/configure.ac +index 4065d0e..d59ad44 100644 --- a/configure.ac +++ b/configure.ac -@@ -764,9 +764,12 @@ main() { if (NSVersionOfRunTimeLibrary(" +@@ -764,9 +764,12 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) i*86-*) seccomp_audit_arch=AUDIT_ARCH_I386 ;; @@ -16,22 +18,33 @@ if test "x$seccomp_audit_arch" != "x" ; then AC_MSG_RESULT(["$seccomp_audit_arch"]) diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c -index 095b04a..59c3682 100644 +index 095b04a..52f6810 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c -@@ -90,8 +90,10 @@ static const struct sock_filter preauth_insns[] = { +@@ -90,8 +90,20 @@ static const struct sock_filter preauth_insns[] = { /* Load the syscall number for checking. */ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr)), - SC_DENY(open, EACCES), -+ SC_DENY(openat, EACCES), /* no open() on AArch64 */ -+#ifdef __NR_stat - SC_DENY(stat, EACCES), +- SC_DENY(stat, EACCES), ++ SC_DENY(openat, EACCES), ++#ifdef __NR_open ++ SC_DENY(open, EACCES), /* - AArch64 */ ++#endif ++#ifdef __NR_fstat ++ SC_DENY(fstat, EACCES), /* + x86_64 */ ++#endif ++#if defined(__NR_stat64) && defined(__NR_fstat64) ++ SC_DENY(stat64, EACCES), /* + ix86, arm */ ++ SC_DENY(fstat64, EACCES), ++#endif ++#ifdef __NR_newfstatat ++ SC_DENY(newfstatat, EACCES), /* + Aarch64 */ +#endif SC_ALLOW(getpid), SC_ALLOW(gettimeofday), SC_ALLOW(clock_gettime), -@@ -111,12 +113,16 @@ static const struct sock_filter preauth_insns[] = { +@@ -111,12 +123,19 @@ static const struct sock_filter preauth_insns[] = { SC_ALLOW(shutdown), #endif SC_ALLOW(brk), @@ -44,6 +57,9 @@ index 095b04a..59c3682 100644 +#ifdef __NR_select /* Not available on AArch64 */ SC_ALLOW(select), #endif ++#ifdef __NR_pselect6 /* + AArch64 */ ++ SC_ALLOW(pselect6), ++#endif +#endif SC_ALLOW(madvise), #ifdef __NR_mmap2 /* EABI ARM only has mmap2() */